HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. pilipali

    pilipali Registered Member

    Joined:
    Nov 24, 2017
    Posts:
    23
    Location:
    Finland
    Is there a way to scan NAS drives with HitmanPro? Right-click scan does not work.
     
  2. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    On Chrome 69 I am getting ROP crashes with HMPA; the last one came within seconds of starting a Netflix stream.
     
  3. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Do you use ESET, by any chance? If so, then your issue may be fixed with the latest HMPA beta build 761, which fixes a compatibility issue with ESET Smart Security in combination with Google Chrome.
    If you do not use ESET, was there an HMPA alert of which you could provide the alert details from Event Viewer?
     
  4. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    I updated to build 759 and all seems good. I am also aware of 761 now as well, but as it's a testing build I stayed on 759. I think I was affected by the Widevine ROP bug.
     
  5. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
    Ah, yes, HMPA 3.7.9 build 759 "fixed false positive ROP detection (stack-based) in Google Chrome 69 caused by (DRM) widevinecdm.dll".
    I did not expect you were not on 3.7.9.759 already, as previous builds were automatically updated to 759, since September 17th.
     
  6. LodeHere

    LodeHere Registered Member

    Joined:
    Nov 25, 2017
    Posts:
    32
    Location:
    Amsterdam
    Maybe this has already been addressed in the meantime, but so as not to have to go through so many posts: is Alert3 compatible again with Sandboxie? (No biggie if it wouldn't be, but just wondering.)
     
    Last edited: Oct 3, 2018
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I run them together.

    I see my Sandboxie.ini contains the following template under [GlobalSettings]: Template=HitmanProAlert
    Not sure if Sandboxie picks that up automatically, or if you need to add that manually if you install HMPA after Sandboxie ...

    In HMPA, under Process Protection, I have 'Local Privilege Mitigation' unchecked. IIRC this was because of Sandboxie, but not sure if it is (still) necessary.

    Someone more knowledgeable can give more info?
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I also run them together with the Local Priv Mitigation unchecked, and yes, it still is necessary.
     
  9. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    How to protect ESET Banking & Payment protection? I cannot add it to running programs because it cannot restart it.
     
  10. RonnyT

    RonnyT QA Engineer

    Joined:
    Aug 9, 2016
    Posts:
    636
    Location:
    Planet Earth
    Hi feerf56,
    That won't work. Alert and ESET Banking protection don't play well, so we cannot protect that.
     
  11. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    Last edited: Oct 4, 2018
  12. lucidstorm

    lucidstorm Registered Member

    Joined:
    Aug 12, 2018
    Posts:
    41
    Location:
    Poland
    Any idea what has happened (ROP exp. mitigation protected Firefox)? HitmanPro just got triggered without me doing anything dangerous. ui32.exe is Wallpaper Engine; I right-clicked on it in Process Manager to search online for it and Firefox opened (the default browser). I hope this is a false positive. That keycry 4 might be from Zemana:
    Log Name: Application
    Source: HitmanPro.Alert
    Date: 04-Oct-18 9:48:14 PM
    Event ID: 911
    Task Category: Mitigation
    Level: Error
    Keywords: Classic
    User: N/A
    Computer:
    Description:
    Mitigation ROP

    Platform 6.1.7601/x64 v759 06_5e
    PID 5536
    Feature 000718341FBFB196
    Application C:\Program Files\Firefox Nightly\firefox.exe
    Description Firefox Nightly 64

    Callee Type ProtectVirtualMemory
    0x000007FEFD6350A0 (32 bytes)

    Branch Trace Opcode To
    ---------------------------------------- -------- ----------------------------------------
    GetModuleHandleW +0x33 RET 0x000007FEFD791CD9 KEYCRY~4.DLL ^0002
    0x000007FEFDB93323 KernelBase.dll

    GetUserDefaultLCID +0x24b RET GetModuleHandleW +0x22 ^0002
    0x000007FEFDB9326B KernelBase.dll 0x000007FEFDB93312 KernelBase.dll

    GetCurrentThread +0x2c RET GetUserDefaultLCID +0x234 ^0008
    0x000007FEFDB9138C KernelBase.dll 0x000007FEFDB93254 KernelBase.dll

    GetUserDefaultLCID +0x297 RET GetUserDefaultLCID +0x1b6 ^0002
    0x000007FEFDB932B7 KernelBase.dll 0x000007FEFDB931D6 KernelBase.dll

    LdrGetDllHandle +0x20 RET GetUserDefaultLCID +0x280 ^0001
    0x00000000779E8650 ntdll.dll 0x000007FEFDB932A0 KernelBase.dll

    LdrGetDllHandleEx +0x2f4 RET LdrGetDllHandle +0x1c ^0002
    0x00000000779E4FE4 ntdll.dll 0x00000000779E864C ntdll.dll

    RtlRetrieveNtUserPfn +0xfc RET LdrGetDllHandleEx +0x2d8 ^0006
    0x0000000077A06E14 ntdll.dll 0x00000000779E4FC8 ntdll.dll

    RtlLeaveCriticalSection +0x40 RET LdrGetDllHandleEx +0x297 ^0023
    0x00000000779CC0F0 ntdll.dll 0x00000000779E4F87 ntdll.dll

    0x0000000077AA49C7 ntdll.dll RET LdrGetDllHandleEx +0x217 ^0008
    0x00000000779E4F07 ntdll.dll

    RtlUpcaseUnicodeChar +0x138 RET 0x0000000077AA494D ntdll.dll ^0007
    0x00000000779D0578 ntdll.dll

    RtlEqualUnicodeString +0x7b RET 0x0000000077A2BEDF ntdll.dll ^011D
    0x00000000779D060B ntdll.dll

    RtlEqualUnicodeString +0x82 RET 0x0000000077A2BEDF ntdll.dll ^000A
    0x00000000779D0612 ntdll.dll

    RtlEqualUnicodeString +0x67 RET 0x0000000077A2BEDF ntdll.dll ^003B
    0x00000000779D05F7 ntdll.dll

    RtlEqualUnicodeString +0x82 RET 0x0000000077A2BEDF ntdll.dll ^0010
    0x00000000779D0612 ntdll.dll

    RtlEqualUnicodeString +0x67 RET 0x0000000077A2BEDF ntdll.dll ^004A
    0x00000000779D05F7 ntdll.dll

    RtlEqualUnicodeString +0x67 RET 0x0000000077A2BEDF ntdll.dll ^0040
    0x00000000779D05F7 ntdll.dll

    RtlEqualUnicodeString +0x82 RET 0x0000000077A2BEDF ntdll.dll ^0013
    0x00000000779D0612 ntdll.dll

    RtlUpcaseUnicodeChar +0xaa RET 0x0000000077A2BE68 ntdll.dll ^001B
    0x00000000779D04EA ntdll.dll

    RtlUpcaseUnicodeChar +0x1b RET RtlUpcaseUnicodeChar +0x86 ^0008
    0x00000000779D045B ntdll.dll 0x00000000779D04C6 ntdll.dll

    RtlUpcaseUnicodeChar +0x1b RET RtlUpcaseUnicodeChar +0x86 ^0007
    0x00000000779D045B ntdll.dll 0x00000000779D04C6 ntdll.dll

    RtlUpcaseUnicodeChar +0x1b RET RtlUpcaseUnicodeChar +0x86 ^0007
    0x00000000779D045B ntdll.dll 0x00000000779D04C6 ntdll.dll

    RtlUpcaseUnicodeChar +0x1b RET RtlUpcaseUnicodeChar +0x86 ^0007
    0x00000000779D045B ntdll.dll 0x00000000779D04C6 ntdll.dll

    RtlUpcaseUnicodeChar +0x1b RET RtlUpcaseUnicodeChar +0x86 ^0007
    0x00000000779D045B ntdll.dll 0x00000000779D04C6 ntdll.dll

    RtlUpcaseUnicodeChar +0x1b RET RtlUpcaseUnicodeChar +0x86 ^0004
    0x00000000779D045B ntdll.dll 0x00000000779D04C6 ntdll.dll

    0x0000000000B6001C (anonymous) ~ RET PeekMessageW +0xf ^0116
    0x00000000777A8FE3 user32.dll

    0x000007FEFD7953B7 KEYCRY~4.DLL RET 0x000007FEFD79454D KEYCRY~4.DLL ^00C5

    PeekMessageW +0xd ~ RET* 0x000007FEFD794500 KEYCRY~4.DLL ^0302
    0x00000000777A8FE1 user32.dll
    48895c2408 MOV [RSP+0x8], RBX
    4889742410 MOV [RSP+0x10], RSI
    48897c2418 MOV [RSP+0x18], RDI
    4154 PUSH R12
    4155 PUSH R13
    4156 PUSH R14
    4883ec40 SUB RSP, 0x40
    458be1 MOV R12D, R9D
    458be8 MOV R13D, R8D
    4c8bf2 MOV R14, RDX
    488bf1 MOV RSI, RCX
    c744243000000000 MOV DWORD [RSP+0x30], 0x0
    8b9c2480000000 MOV EBX, [RSP+0x80]
    8bc3 MOV EAX, EBX
    2401 AND AL, 0x1
    3c01 CMP AL, 0x1
    (216EC2983C562F77)


    GetQueueStatus +0x2a ~ RET 0x000007FEC16DA5E3 xul.dll ^004A
    0x000000007779B93A user32.dll

    GetQueueStatus +0x60 ~ RET GetQueueStatus +0x26 ^00F3
    0x000000007779B970 user32.dll 0x000000007779B936 user32.dll

    InitializeLpkHooks +0x9e ~ RET GetQueueStatus +0x5c ^014A
    0x00000000777AA5BA user32.dll 0x000000007779B96C user32.dll

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 000007FEFDBA1413 KernelBase.dll VirtualProtectEx +0x33
    2 000007FEFDBA13CB KernelBase.dll VirtualProtect +0x1b

    3 000007FEFD791D1A KEYCRY~4.DLL
    85c0 TEST EAX, EAX
    7470 JZ 0x7fefd791d8e
    48895c2430 MOV [RSP+0x30], RBX
    498bcc MOV RCX, R12
    48894c2428 MOV [RSP+0x28], RCX
    0f1f440000 NOP DWORD [RAX+RAX+0x0]
    8bc7 MOV EAX, EDI
    ffc7 INC EDI
    897c2420 MOV [RSP+0x20], EDI
    83f820 CMP EAX, 0x20
    7321 JAE 0x7fefd791d5e
    0fb603 MOVZX EAX, BYTE [RBX]
    3801 CMP [RCX], AL
    7418 JZ 0x7fefd791d5c
    8801 MOV [RCX], AL
    48ffc1 INC RCX

    4 000007FEFD792493 KEYCRY~4.DLL InjectMe +0x1b3
    5 00000000778A59CD kernel32.dll BaseThreadInitThunk +0xd
    6 0000000077A0385D ntdll.dll RtlUserThreadStart +0x1d

    Loaded Modules
    -----------------------------------------------------------------------------
    000000013F190000-000000013F218000 firefox.exe (Mozilla Corporation),
    version: 64.0a1
    00000000779B0000-0000000077B4F000 ntdll.dll (Microsoft Corporation),
    version: 6.1.7601.24236 (win7sp1_ldr_escrow.18081
    0000000077890000-00000000779AF000 KERNEL32.dll (Microsoft Corporation),
    version: 6.1.7601.24236 (win7sp1_ldr_escrow.18081
    000007FEFD7C0000-000007FEFD900000 hmpalert.dll (SurfRight B.V.),
    version: 3.7.9.759
    000007FEFDB90000-000007FEFDBFA000 KERNELBASE.dll (Microsoft Corporation),
    version: 6.1.7601.24236 (win7sp1_ldr_escrow.18081
    000007FEFDF70000-005C0838FE04B000 ADVAPI32.dll (Microsoft Corporation),
    version: 6.1.7601.24236 (win7sp1_ldr_escrow.18081
    000007FEFE430000-006E086DFE4CF000 msvcrt.dll (Microsoft Corporation),
    version: 7.0.7601.17744 (win7sp1_gdr.111215-1535)
    000007FEFE570000-000007FEFE58F000 sechost.dll (Microsoft Corporation),
    version: 6.1.7601.18869 (win7sp1_gdr.150525-0603)
    000007FEFFB70000-002D082FFFC9D000 RPCRT4.dll (Microsoft Corporation),
    version: 6.1.7601.24236 (win7sp1_ldr_escrow.18081
    000007FEF54E0000-000007FEF551D000 mozglue.dll (Mozilla Foundation),
    version: 64.0a1
    000007FEFA1C0000-000007FEFA2E5000 dbghelp.dll (Microsoft Corporation),
    version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
    000007FEFC340000-000007FEFC34C000 VERSION.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEF5440000-000007FEF54DB000 MSVCP140.dll (Microsoft Corporation),
    version: 14.15.26706.0 built by: VCTOOLSREL
    000007FEF6CF0000-000007FEF6D06000 VCRUNTIME140.dll (Microsoft Corporation),
    version: 14.15.26706.0 built by: VCTOOLSREL
    000007FEF76C0000-000007FEF76C4000 api-ms-win-crt-runtime-l1-1-0.dll (Microsoft Corporation),
    version: 10.0.17134.12 (WinBuild.160101.0800)
    000007FEF5340000-000007FEF543A000 ucrtbase.DLL (Microsoft Corporation),
    version: 10.0.17134.12 (WinBuild.160101.0800)
    000007FEF76B0000-000007FEF76B3000 api-ms-win-core-localization-l1-2-0.dll (Microsoft Corporation),
    version: 10.0.17134.12 (WinBuild.160101.0800)
    000007FEF7650000-000007FEF7653000 api-ms-win-core-processthreads-l1-1-1.dll (Microsoft Corporation),
    version: 10.0.17134.12 (WinBuild.160101.0800)
    000007FEF7630000-0A0D152CF7633000 api-ms-win-core-file-l1-2-0.dll (Microsoft Corporation),
    version: 10.0.17134.12 (WinBuild.160101.0800)
    000007FEF6580000-000007FEF6583000 api-ms-win-core-timezone-l1-1-0.dll (Microsoft Corporation),
    version: 10.0.17134.12 (WinBuild.160101.0800)
    000007FEF6660000-000007FEF6663000 api-ms-win-core-file-l2-1-0.dll (Microsoft Corporation),
    version: 10.0.17134.12 (WinBuild.160101.0800)
    000007FEF6570000-000007FEF6573000 api-ms-win-core-synch-l1-2-0.dll (Microsoft Corporation),
    version: 10.0.17134.12 (WinBuild.160101.0800)
    000007FEF6560000-00000DE2F6564000 api-ms-win-crt-string-l1-1-0.dll (Microsoft Corporation),
    version: 10.0.17134.12 (WinBuild.160101.0800)
    000007FEF6550000-756C7754F6553000 api-ms-win-crt-heap-l1-1-0.dll (Microsoft Corporation),
    version: 10.0.17134.12 (WinBuild.160101.0800)
    000007FEF6540000-7A246972F6544000 api-ms-win-crt-stdio-l1-1-0.dll (Microsoft Corporation),
    version: 10.0.17134.12 (WinBuild.160101.0800)
    000007FEF6530000-000007FEF6534000 api-ms-win-crt-convert-l1-1-0.dll (Microsoft Corporation),
    version: 10.0.17134.12 (WinBuild.160101.0800)
    000007FEF6390000-000007FEF6393000 api-ms-win-crt-locale-l1-1-0.dll (Microsoft Corporation),
    version: 10.0.17134.12 (WinBuild.160101.0800)
    000007FEF6380000-003007FFF6385000 api-ms-win-crt-math-l1-1-0.dll (Microsoft Corporation),
    version: 10.0.17134.12 (WinBuild.160101.0800)
    000007FEF5320000-006C0867F5323000 api-ms-win-crt-time-l1-1-0.dll (Microsoft Corporation),
    version: 10.0.17134.12 (WinBuild.160101.0800)
    000007FEF5330000-0046086AF5333000 api-ms-win-crt-filesystem-l1-1-0.dll (Microsoft Corporation),
    version: 10.0.17134.12 (WinBuild.160101.0800)
    000007FEF5300000-006F0864F5303000 api-ms-win-crt-environment-l1-1-0.dll (Microsoft Corporation),
    version: 10.0.17134.12 (WinBuild.160101.0800)
    000007FEF5310000-2A090E0BF5313000 api-ms-win-crt-utility-l1-1-0.dll (Microsoft Corporation),
    version: 10.0.17134.12 (WinBuild.160101.0800)
    0000000077790000-4B304D047788A000 user32.dll (Microsoft Corporation),
    version: 6.1.7601.23594 (win7sp1_ldr.161110-0600)
    000007FEFF4D0000-000007FEFF537000 GDI32.dll (Microsoft Corporation),
    version: 6.1.7601.24234 (win7sp1_ldr.180813-0600)
    000007FEFF790000-000007FEFF79E000 LPK.dll (Microsoft Corporation),
    version: 6.1.7601.24231 (win7sp1_ldr.180810-0600)
    000007FEFFAA0000-000007FEFFB6B000 USP10.dll (Microsoft Corporation),
    version: 1.0626.7601.23894 (win7sp1_ldr.170816-06
    000007FEFF7A0000-000007FEFF7CE000 IMM32.DLL (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEFF540000-000007FEFF649000 MSCTF.dll (Microsoft Corporation),
    version: 6.1.7601.23915 (win7sp1_ldr.170913-0600)
    000007FEFD790000-000007FEFD7AB000 KEYCRY~4.DLL (Zemana Ltd.),
    version: 1.8.2.320
    0000000077B50000-0000000077B57000 PSAPI.DLL (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEF52B0000-000007FEF52B5000 api-ms-win-crt-multibyte-l1-1-0.dll (Microsoft Corporation),
    version: 10.0.17134.12 (WinBuild.160101.0800)
    000007FEF4FB0000-000007FEF5252000 nss3.dll (Mozilla Foundation),
    version: 64.0a1
    000007FEEE5B0000-000007FEEE5EB000 WINMM.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEF4FA0000-000007FEF4FA9000 WSOCK32.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEFDCC0000-000007FEFDD0D000 WS2_32.dll (Microsoft Corporation),
    version: 6.1.7601.23451 (win7sp1_ldr.160511-0600)
    000007FEFF950000-000007FEFF958000 NSI.dll (Microsoft Corporation),
    version: 6.1.7601.23889 (win7sp1_ldr.170810-1615)
    000007FEF4F90000-000007FEF4F9E000 lgpllibs.dll (Mozilla Foundation),
    version: 64.0a1
    000007FEC1560000-000007FEC7479000 xul.dll (Mozilla Foundation),
    version: 64.0a1
    000007FEFE6C0000-000007FEFF44A000 SHELL32.dll (Microsoft Corporation),
    version: 6.1.7601.24234 (win7sp1_ldr.180813-0600)
    000007FEFFA20000-00000FFCFFA91000 SHLWAPI.dll (Microsoft Corporation),
    version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
    000007FEF6AE0000-00000FFCF6AE9000 AVRT.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEFE230000-00000FFCFE42D000 ole32.dll (Microsoft Corporation),
    version: 6.1.7601.24168 (win7sp1_ldr.180608-0600)
    000007FEFA8F0000-00000FFCFA917000 IPHLPAPI.DLL (Microsoft Corporation),
    version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
    000007FEFA8E0000-00000FFCFA8EB000 WINNSI.DLL (Microsoft Corporation),
    version: 6.1.7601.23889 (win7sp1_ldr.170810-1615)
    000007FEFD9A0000-00000FFCFDB0D000 CRYPT32.dll (Microsoft Corporation),
    version: 6.1.7601.23971 (win7sp1_ldr.171205-0600)
    000007FEFD990000-00000FFCFD99F000 MSASN1.dll (Microsoft Corporation),
    version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
    000007FEF63E0000-00000FFCF63F8000 dwmapi.dll (Microsoft Corporation),
    version: 6.1.7601.18917 (win7sp1_gdr.150709-0600)
    000007FEF7430000-00000FFCF7486000 UxTheme.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEFE050000-00000FFCFE227000 SETUPAPI.dll (Microsoft Corporation),
    version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
    000007FEFDB10000-00000FFCFDB46000 CFGMGR32.dll (Microsoft Corporation),
    version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
    000007FEFF6B0000-00000FFCFF78A000 OLEAUT32.dll (Microsoft Corporation),
    version: 6.1.7601.24117
    000007FEFDCA0000-00000FFCFDCBA000 DEVOBJ.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEFDB50000-00000FFCFDB8B000 WINTRUST.dll (Microsoft Corporation),
    version: 6.1.7601.23971 (win7sp1_ldr.171205-0600)
    000007FEFA890000-00000FFCFA8A1000 WTSAPI32.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEEDEA0000-00000FFCEDEB8000 dhcpcsvc.DLL (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEFCAC0000-00000FFCFCADE000 USERENV.dll (Microsoft Corporation),
    version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
    000007FEFD7B0000-00000FFCFD7BF000 profapi.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEFA810000-00000FFCFA83D000 ntmarta.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEFF650000-00000FFCFF6A2000 WLDAP32.dll (Microsoft Corporation),
    version: 6.1.7601.23889 (win7sp1_ldr.170810-1615)
    000007FEFD6C0000-00000FFCFD6CF000 CRYPTBASE.dll (Microsoft Corporation),
    version: 6.1.7601.24236 (win7sp1_ldr_escrow.18081
    000007FEE0E10000-00000FFCE0FA7000 dwrite.dll (Microsoft Corporation),
    version: 6.2.9200.22164 (win8_ldr.170506-0600)
    000007FEEE3D0000-00000FFCEE3E5000 NLAapi.dll (Microsoft Corporation),
    version: 6.1.7601.24000 (win7sp1_ldr.171231-1547)
    000007FEDA2B0000-00000FFCDA2C5000 napinsp.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEDA290000-000007FEDA2A9000 pnrpnsp.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEFCFF0000-00000FFCFD045000 mswsock.dll (Microsoft Corporation),
    version: 6.1.7601.23451 (win7sp1_ldr.160511-0600)
    000007FEFCE70000-00000FFCFCECB000 DNSAPI.dll (Microsoft Corporation),
    version: 6.1.7601.24168 (win7sp1_ldr.180608-0600)
    000007FEDD680000-00000FFCDD68B000 winrnr.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEF81F0000-00000FFCF81F7000 wshtcpip.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEFE4D0000-00000FFCFE569000 CLBCatQ.DLL (Microsoft Corporation),
    version: 2001.12.8530.16385 (win7_rtm.090713-1255
    000007FEEE680000-00000FFCEE68F000 wbemprox.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEEE5F0000-0A0D152CEE676000 wbemcomn.dll (Microsoft Corporation),
    version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
    000007FEFD050000-000007FEFD068000 CRYPTSP.dll (Microsoft Corporation),
    version: 6.1.7601.23471 (win7sp1_ldr.160614-0600)
    000007FEFCD50000-4000083EFCD97000 rsaenh.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEFD770000-000007FEFD784000 RpcRtRemote.dll (Microsoft Corporation),
    version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
    000007FEE5B20000-9090988EE5B34000 wbemsvc.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEE5D10000-48C1934AE5DF2000 fastprox.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEE5CE0000-9090988EE5D07000 NTDSAPI.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEFCB90000-C9855009FCBCD000 WINSTA.dll (Microsoft Corporation),
    version: 6.1.7601.18540 (win7sp1_gdr.140716-1508)
    000007FEB0910000-10419346B096D000 dxgi.dll (Microsoft Corporation),
    version: 6.2.9200.16492 (win8_gdr_oobssr.130113-0
    000007FEF4BC0000-90C3631EF4F84000 d2d1.dll (Microsoft Corporation),
    version: 6.2.9200.16765 (win8_gdr.131119-1508)
    000007FEF63A0000-598417D0F63D5000 XmlLite.dll (Microsoft Corporation),
    version: 1.3.1001.0
    000007FEEC9C0000-10419146ECA5C000 mscms.dll (Microsoft Corporation),
    version: 6.1.7601.23971 (win7sp1_ldr.171205-0600)
    000007FEFD660000-909098C1FD6B7000 apphelp.dll (Microsoft Corporation),
    version: 6.1.7601.19050 (win7sp1_gdr.151029-0600)
    000007FEF7B80000-00000806F7BEF000 Wpc.dll (Microsoft Corporation),
    version: 1.0.0.1
    000007FEFD280000-55059546FD2ED000 wevtapi.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEFA870000-909098C1FA884000 samcli.dll (Microsoft Corporation),
    version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
    000007FEF75C0000-000007FEF75DD000 SAMLIB.dll (Microsoft Corporation),
    version: 6.1.7601.23677 (win7sp1_ldr.170209-0600)
    000007FEFC230000-000007FEFC23C000 netutils.dll (Microsoft Corporation),
    version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
    000007FEF6AF0000-000008DAF6B3B000 MMDevApi.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEF7490000-000007FEF75BC000 PROPSYS.dll (Microsoft Corporation),
    version: 7.00.7601.17514 (win7sp1_rtm.101119-1850
    000007FEEE410000-000007FEEE45F000 AUDIOSES.DLL (Microsoft Corporation),
    version: 6.1.7601.23471 (win7sp1_ldr.160614-0600)
    000007FEFE590000-0000082EFE6BA000 WININET.dll (Microsoft Corporation),
    version: 8.00.7601.17514 (win7sp1_rtm.101119-1850
    000007FEFF7D0000-000007FEFF948000 urlmon.dll (Microsoft Corporation),
    version: 8.00.7601.17514 (win7sp1_rtm.101119-1850
    000007FEFDD10000-000007FEFDF69000 iertutil.dll (Microsoft Corporation),
    version: 8.00.7601.17514 (win7sp1_rtm.101119-1850
    000007FEFA920000-000007FEFAB14000 comctl32.dll (Microsoft Corporation),
    version: 6.10 (win7sp1_gdr.150424-0604)
    000007FEFD630000-000007FEFD655000 SspiCli.dll (Microsoft Corporation),
    version: 6.1.7601.24236 (win7sp1_ldr_escrow.18081
    000007FEF5260000-000007FEF52A5000 softokn3.dll (Mozilla Foundation),
    version: 64.0a1
    000007FEF4B20000-000007FEF4BBD000 freebl3.dll (Mozilla Foundation),
    version: 64.0a1
    000007FEFA780000-000007FEFA7E2000 RASAPI32.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEFA760000-000007FEFA77C000 rasman.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEEECD0000-000007FEEECE1000 rtutils.dll (Microsoft Corporation),
    version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
    000007FEEED00000-000007FEEED09000 sensapi.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEF4AB0000-000007FEF4B19000 nssckbi.dll (Mozilla Foundation),
    version: 64.0a1
    000007FEFCFE0000-000007FEFCFE7000 wship6.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEEC610000-000007FEEC621000 dhcpcsvc6.DLL (Microsoft Corporation),
    version: 6.1.7601.17970 (win7sp1_gdr.121009-0412)
    000007FEE56D0000-000007FEE56D8000 rasadhlp.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEEC700000-005C085FEC753000 fwpuclnt.dll (Microsoft Corporation),
    version: 6.1.7601.24000 (win7sp1_ldr.171231-1547)
    000007FEE48F0000-000007FEE4ABB000 explorerframe.dll (Microsoft Corporation),
    version: 6.1.7601.24234 (win7sp1_ldr.180813-0600)
    000007FEF6A90000-000007FEF6AD3000 DUser.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEF6B40000-000007FEF6C32000 DUI70.dll (Microsoft Corporation),
    version: 6.1.7600.16385 (win7_rtm.090713-1255)
    000007FEDF1C0000-000007FEDF2AE000 actxprxy.dll (Microsoft Corporation),
    version: 6.1.7601.24000 (win7sp1_ldr.171231-1547)

    Code Injection
    000000013F1DB000-000000013F1DC000 4KB C:\Program Files\Firefox Nightly\firefox.exe [5436]
    000000013F1D7000-000000013F1D8000 4KB
    1 C:\Program Files\Firefox Nightly\firefox.exe [5436]
    "C:\Program Files\Firefox Nightly\firefox.exe" "? ui32.exe"
    2 C:\Windows\explorer.exe [2688]
    3 C:\Windows\System32\userinit.exe [2672]
    4 C:\Windows\System32\winlogon.exe [992]
    winlogon.exe

    Process Trace
    1 C:\Program Files\Firefox Nightly\firefox.exe [5536]
    "C:\Program Files\Firefox Nightly\firefox.exe" "? ui32.exe"
    2 C:\Program Files\Firefox Nightly\firefox.exe [5436]
    "C:\Program Files\Firefox Nightly\firefox.exe" "? ui32.exe"
    3 C:\Windows\explorer.exe [2688]
    4 C:\Windows\System32\userinit.exe [2672]
    5 C:\Windows\System32\winlogon.exe [992]
    winlogon.exe

    Thumbprint
    4e37b1897413d95e4d08908363d419517d795137a5d1cc241986f08ea4c203dd
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="HitmanPro.Alert" />
    <EventID Qualifiers="0">911</EventID>
    <Level>2</Level>
    <Task>9</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2018-10-04T19:48:14.000000000Z" />
    <EventRecordID>3993</EventRecordID>
    <Channel>Application</Channel>
    <Computer>01-PC</Computer>
    <Security />
    </System>
    <EventData>
    <Data>C:\Program Files\Firefox Nightly\firefox.exe</Data>
    <Data>ROP</Data>
    <Data>Mitigation ROP

    Platform 6.1.7601/x64 v759 06_5e
    PID 5536
    Feature 000718341FBFB196
    Application C:\Program Files\Firefox Nightly\firefox.exe
    Description Firefox Nightly 64

    Callee Type ProtectVirtualMemory
    0x000007FEFD6350A0 (32 bytes)

    Branch Trace Opcode To
    ---------------------------------------- -------- ----------------------------------------
    GetModuleHandleW +0x33 RET 0x000007FEFD791CD9 KEYCRY~4.DLL ^0002
    0x000007FEFDB93323 KernelBase.dll

    GetUserDefaultLCID +0x24b RET GetModuleHandleW +0x22 ^0002
    0x000007FEFDB9326B KernelBase.dll 0x000007FEFDB93312 KernelBase.dll

    GetCurrentThread +0x2c RET GetUserDefaultLCID +0x234 ^0008
    0x000007FEFDB9138C KernelBase.dll 0x000007FEFDB93254 KernelBase.dll

    GetUserDefaultLCID +0x297 RET GetUserDefaultLCID +0x1b6 ^0002
    0x000007FEFDB932B7 KernelBase.dll 0x000007FEFDB931D6 KernelBase.dll

    LdrGetDllHandle +0x20 RET GetUserDefaultLCID +0x280 ^0001
    0x00000000779E8650 ntdll.dll 0x000007FEFDB932A0 KernelBase.dll

    LdrGetDllHandleEx +0x2f4 RET LdrGetDllHandle +0x1c ^0002
    0x00000000779E4FE4 ntdll.dll 0x00000000779E864C ntdll.dll

    RtlRetrieveNtUserPfn +0xfc RET LdrGetDllHandleEx +0x2d8 ^0006
    0x0000000077A06E14 ntdll.dll 0x00000000779E4FC8 ntdll.dll

    RtlLeaveCriticalSection +0x40 RET LdrGetDllHandleEx +0x297 ^0023
    0x00000000779CC0F0 ntdll.dll 0x00000000779E4F87 ntdll.dll

    0x0000000077AA49C7 ntdll.dll RET LdrGetDllHandleEx +0x217 ^0008
    0x00000000779E4F07 ntdll.dll

    RtlUpcaseUnicodeChar +0x138 RET 0x0000000077AA494D ntdll.dll ^0007
    0x00000000779D0578 ntdll.dll

    RtlEqualUnicodeString +0x7b RET 0x0000000077A2BEDF ntdll.dll ^011D
    0x00000000779D060B ntdll.dll

    RtlEqualUnicodeString +0x82 RET 0x0000000077A2BEDF ntdll.dll ^000A
    0x00000000779D0612 ntdll.dll

    RtlEqualUnicodeString +0x67 RET 0x0000000077A2BEDF ntdll.dll ^003B
    0x00000000779D05F7 ntdll.dll

    RtlEqualUnicodeString +0x82 RET 0x0000000077A2BEDF ntdll.dll ^0010
    0x00000000779D0612 ntdll.dll

    RtlEqualUnicodeString +0x67 RET 0x0000000077A2BEDF ntdll.dll ^004A
    0x00000000779D05F7 ntdll.dll

    RtlEqualUnicodeString +0x67 RET 0x0000000077A2BEDF ntdll.dll ^0040
    0x00000000779D05F7 ntdll.dll

    RtlEqualUnicodeString +0x82 RET 0x0000000077A2BEDF ntdll.dll ^0013
    0x00000000779D0612 ntdll.dll

    RtlUpcaseUnicodeChar +0xaa RET 0x0000000077A2BE68 ntdll.dll ^001B
    0x00000000779D04EA ntdll.dll

    RtlUpcaseUnicodeChar +0x1b RET RtlUpcaseUnicodeChar +0x86 ^0008
    0x00000000779D045B ntdll.dll 0x00000000779D04C6 ntdll.dll

    RtlUpcaseUnicodeChar +0x1b RET RtlUpcaseUnicodeChar +0x86 ^0007
    0x00000000779D045B ntdll.dll 0x00000000779D04C6 ntdll.dll

    RtlUpcaseUnicodeChar +0x1b RET RtlUpcaseUnicodeChar +0x86 ^0007
    0x00000000779D045B ntdll.dll 0x00000000779D04C6 ntdll.dll

    RtlUpcaseUnicodeChar +0x1b RET RtlUpcaseUnicodeChar +0x86 ^0007
    0x00000000779D045B ntdll.dll 0x00000000779D04C6 ntdll.dll

    RtlUpcaseUnicodeChar +0x1b RET RtlUpcaseUnicodeChar +0x86 ^0007
    0x00000000779D045B ntdll.dll 0x00000000779D04C6 ntdll.dll

    RtlUpcaseUnicodeChar +0x1b RET RtlUpcaseUnicodeChar +0x86 ^0004
    0x00000000779D045B ntdll.dll 0x00000000779D04C6 ntdll.dll

    0x0000000000B6001C (anonymous) ~ RET PeekMessageW +0xf ^0116
    0x00000000777A8FE3 user32.dll

    0x000007FEFD7953B7 KEYCRY~4.DLL RET 0x000007FEFD79454D KEYCRY~4.DLL ^00C5

    PeekMessageW +0xd ~ RET* 0x000007FEFD794500 KEYCRY~4.DLL ^0302
    0x00000000777A8FE1 user32.dll
    48895c2408 MOV [RSP+0x8], RBX
    4889742410 MOV [RSP+0x10], RSI
    48897c2418 MOV [RSP+0x18], RDI
    4154 PUSH R12
    4155 PUSH R13
    4156 PUSH R14
    4883ec40 SUB RSP, 0x40
    458be1 MOV R12D, R9D
    458be8 MOV R13D, R8D
    4c8bf2 MOV R14, RDX
    488bf1 MOV RSI, RCX
    c744243000000000 MOV DWORD [RSP+0x30], 0x0
    8b9c2480000000 MOV EBX, [RSP+0x80]
    8bc3 MOV EAX, EBX
    2401 AND AL, 0x1
    3c01 CMP AL, 0x1
    (216EC2983C562F77)


    GetQueueStatus +0x2a ~ RET 0x000007FEC16DA5E3 xul.dll ^004A
    0x000000007779B93A user32.dll

    GetQueueStatus +0x60 ~ RET GetQueueStatus +0x26 ^00F3
    0x000000007779B970 user32.dll 0x000000007779B936 user32.dll

    InitializeLpkHooks +0x9e ~ RET GetQueueStatus +0x5c ^014A
    0x00000000777AA5BA user32.dll 0x000000007779B96C user32.dll

    Stack Trace
    # Address Module Location
    -- ---------------- ------------------------ ----------------------------------------
    1 000007FEFDBA1413 KernelBase.dll VirtualProtectEx +0x33
    2 000007FEFDBA13CB KernelBase.dll VirtualProtect +0x1b

    3 000007FEFD791D1A KEYCRY~4.DLL
    85c0 TEST EAX, EAX
    7470 JZ 0x7fefd791d8e
    48895c2430 MOV [RSP+0x30], RBX
    498bcc MOV RCX, R12
    48894c2428 MOV [RSP+0x28], RCX
    0f1f440000 NOP DWORD [RAX+RAX+0x0]
    8bc7 MOV EAX, EDI
    ffc7 INC EDI
    897c2420 MOV [RSP+0x20], EDI
    83f820 CMP EAX, 0x20
    7321 JAE 0x7fefd791d5e
    0fb603 MOVZX EAX, BYTE [RBX]
    3801 CMP [RCX], AL
    7418 JZ 0x7fefd791d5c
    8801 MOV [RCX], AL
    48ffc1 INC RCX

    4 000007FEFD792493 KEYCRY~4.DLL InjectMe +0x1b3
    5 00000000778A59CD kernel32.dll BaseThreadInitThunk +0xd
    6 0000000077A0385D ntdll.dll RtlUserThreadStart +0x1d

    Loaded Modules
    -----------------------------------------------------------------------------

    Code Injection
    000000013F1DB000-000000013F1DC000 4KB C:\Program Files\Firefox Nightly\firefox.exe [5436]
    000000013F1D7000-000000013F1D8000 4KB
    1 C:\Program Files\Firefox Nightly\firefox.exe [5436]
    "C:\Program Files\Firefox Nightly\firefox.exe" "? ui32.exe"
    2 C:\Windows\explorer.exe [2688]
    3 C:\Windows\System32\userinit.exe [2672]
    4 C:\Windows\System32\winlogon.exe [992]
    winlogon.exe

    Process Trace
    1 C:\Program Files\Firefox Nightly\firefox.exe [5536]
    "C:\Program Files\Firefox Nightly\firefox.exe" "? ui32.exe"
    2 C:\Program Files\Firefox Nightly\firefox.exe [5436]
    "C:\Program Files\Firefox Nightly\firefox.exe" "? ui32.exe"
    3 C:\Windows\explorer.exe [2688]
    4 C:\Windows\System32\userinit.exe [2672]
    5 C:\Windows\System32\winlogon.exe [992]
    winlogon.exe

    Thumbprint
    4e37b1897413d95e4d08908363d419517d795137a5d1cc241986f08ea4c203dd</Data>
    </EventData>
    </Event>
About bugs I have found with HitmanPro.Alert: Razer keyboards are blocked (meaning they stop working) if you enable "block bad USB (...)"; obvious incompatibility with Zemana when you enable key encryption: you won't be able to type anything (but I guess that's fine); HitmanPro was a bit slow at finding newly installed browsers; Opera Portable is not compatible.
     
    Last edited: Oct 4, 2018
  13. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    That's to be expected since Zemana is also encrypting keystrokes. You need to turn off keystroke encryption in one or the other application.
     
  14. lucidstorm

    lucidstorm Registered Member

    Joined:
    Aug 12, 2018
    Posts:
    41
    Location:
    Poland
Yes, it was obvious; Zemana still works with other cryptors, so I thought I'd mention it anyway. Also, I'm not sure how encryption works with HitmanPro.Alert; it appears to be system-wide, since I could not type at the system logon with it on, which sounds good.
     
    Last edited: Oct 5, 2018
  15. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    What happened when you tried to type at the system logon? I believe HMPA keystroke encryption is only supposed to be active in protected web browsers ( ? )
     
  16. Sand

    Sand Registered Member

    Joined:
    Apr 28, 2016
    Posts:
    26
    Mitigation Shellcode

    Platform 10.0.17763/x64 v761 06_5e
    PID 4204
    Feature 00070A30000001A2
    Application C:\Program Files (x86)\Imploded Software\Helium 13\Helium.App.exe
    Description Helium 13.4

    Shellcode (HHP) (0x00001000 bytes)

    06A9076B ffd2 CALL EDX
    06A9076D 8b4ddc MOV ECX, [EBP-0x24]
    06A90770 8d6104 LEA ESP, [ECX+0x4]
    06A90773 c6460801 MOV BYTE [ESI+0x8], 0x1
    06A90777 833d4020907400 CMP DWORD [0x74902040], 0x0
    06A9077E 7407 JZ 0x6a90787
    06A90780 50 PUSH EAX
    06A90781 e8faf1916d CALL 0x743af980
    06A90786 58 POP EAX
    06A90787 c745e000000000 MOV DWORD [EBP-0x20], 0x0
    06A9078E 8bf8 MOV EDI, EAX
    06A90790 e80b8d806d CALL 0x742994a0
    06A90795 8b45ec MOV EAX, [EBP-0x14]
    06A90798 897804 MOV [EAX+0x4], EDI
    06A9079B 8b7dd4 MOV EDI, [EBP-0x2c]
    06A9079E 897e0c MOV [ESI+0xc], EDI


    Process Trace
    1 C:\Program Files (x86)\Imploded Software\Helium 13\Helium.App.exe [4204]
    2 C:\Windows\explorer.exe [3516]
    3 C:\Windows\System32\userinit.exe [3408]

    Thumbprint
    58055cbbbfdc65b05eef40a41b09abdb89c6d89cf2481096eb6b5e44f3bb5348

    Mitigation Shellcode

    Platform 10.0.17763/x64 v761 06_5e
    PID 3864
    Feature 00070A30000001A2
    Application C:\Program Files (x86)\Imploded Software\Helium 13\Helium.App.exe
    Description Helium 13.4

    Shellcode (HHP) (0x00001000 bytes)

    00D1FDF2 ffd2 CALL EDX
    00D1FDF4 8b4db0 MOV ECX, [EBP-0x50]
    00D1FDF7 8d6104 LEA ESP, [ECX+0x4]
    00D1FDFA 8b4dc8 MOV ECX, [EBP-0x38]
    00D1FDFD c6410801 MOV BYTE [ECX+0x8], 0x1
    00D1FE01 833d4020907400 CMP DWORD [0x74902040], 0x0
    00D1FE08 7407 JZ 0xd1fe11
    00D1FE0A 50 PUSH EAX
    00D1FE0B e870fb6873 CALL 0x743af980
    00D1FE10 58 POP EAX
    00D1FE11 c745b400000000 MOV DWORD [EBP-0x4c], 0x0
    00D1FE18 8945cc MOV [EBP-0x34], EAX
    00D1FE1B c745e000000000 MOV DWORD [EBP-0x20], 0x0
    00D1FE22 c745e4fc000000 MOV DWORD [EBP-0x1c], 0xfc
    00D1FE29 6835fed100 PUSH DWORD 0xd1fe35
    00D1FE2E eb0e JMP 0xd1fe3e


    Process Trace
    1 C:\Program Files (x86)\Imploded Software\Helium 13\Helium.App.exe [3864]
    2 C:\Program Files (x86)\Imploded Software\Helium 13\Helium.App.exe [4204]
    3 C:\Windows\explorer.exe [3516]
    4 C:\Windows\System32\userinit.exe [3408]

    Thumbprint
    a7ade1501d3fcd6658dcc87d5096b80e315ff83a06cf299909157b022c3f9b12

    Mitigation CodeCave

    Platform 10.0.17763/x64 v761 06_5e
    PID 10608
    Feature 00070A30000005A2
    Application C:\Program Files (x86)\HTTPDebuggerPro\nss\certutil.exe
    Description certutil.exe

    Process Protection / Code Cave Mitigation: Cold heels

    Process Trace
    1 C:\Program Files (x86)\HTTPDebuggerPro\nss\certutil.exe [10608]
    nss\certutil -A -t "TCu" -i "C:\ProgramData\HTTPDebuggerPro\Cert\SSL\HTTP DEBUGGER CA for DEBUG ONLY 2.cer" -n "HTTP DEBUGGER CA for DEBUG ONLY 2" -d sql:"C:\Users\x\AppData\Roaming\THUNDE~1\Profiles\1VGALE~1.DEF"-f pwfile
    2 C:\Program Files (x86)\HTTPDebuggerPro\HTTPDebuggerSvc.exe [10060]

    Thumbprint
    8d8cf9e169a7379b6a20acc4e6bb587816b51665c957676a472db9d39a521b16

What's the meaning of "Code Cave Mitigation: Cold heels"?
     
  17. Sand

    Sand Registered Member

    Joined:
    Apr 28, 2016
    Posts:
    26
    Mitigation Shellcode

    Platform 10.0.17763/x64 v761 06_5e
    PID 2912
    Feature 00070A30000001A2
    Application C:\Users\x\AppData\Local\SidebarDiagnostics\app-3.4.6\SidebarDiagnostics.exe
    Description Sidebar Diagnostics 3.4.6

    Shellcode (HHA) (0x00001000 bytes)

    00007FFB36469638 ffd0 CALL RAX
    00007FFB3646963A 41c6470c01 MOV BYTE [R15+0xc], 0x1
    00007FFB3646963F 833daaaaec5f00 CMP DWORD [RIP+0x5fecaaaa], 0x0
    00007FFB36469646 7406 JZ 0x7ffb3646964e
    00007FFB36469648 ff15dab5ec5f CALL QWORD [RIP+0x5fecb5da]
    00007FFB3646964E 41c6470c01 MOV BYTE [R15+0xc], 0x1
    00007FFB36469653 488b5590 MOV RDX, [RBP-0x70]
    00007FFB36469657 49895710 MOV [R15+0x10], RDX
    00007FFB3646965B 488d65c8 LEA RSP, [RBP-0x38]
    00007FFB3646965F 5b POP RBX
    00007FFB36469660 5e POP RSI
    00007FFB36469661 5f POP RDI
    00007FFB36469662 415c POP R12
    00007FFB36469664 415d POP R13
    00007FFB36469666 415e POP R14
    00007FFB36469668 415f POP R15


    Thumbprint
    4a9226086dec44be8db97b4ec38c67fe5ac8d77ae3f1c70fefd7ee700ae1b7e3
     
  18. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,857
    Location:
    the Netherlands
  19. lucidstorm

    lucidstorm Registered Member

    Joined:
    Aug 12, 2018
    Posts:
    41
    Location:
    Poland
Yes, it blocks keys from being typed at user logon with Zemana.
     
    Last edited: Oct 13, 2018
  20. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
I was just informed that an update would be installed on next boot.
On next logon I got a BSOD, critical process died...
On next boot I could log on normally, and HMP.A was updated to build 763, without beta.

No further issues so far.
     
  21. lucidstorm

    lucidstorm Registered Member

    Joined:
    Aug 12, 2018
    Posts:
    41
    Location:
    Poland
Is this some real attack or a false positive, I wonder?
Since I installed HMPA, all I can see is that I am being attacked.
     

    Attached Files:

  22. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
    Forrás
    HitmanPro.Alert

    Összegzés
    Működésképtelenné vált

    Dátum
2018. 10. 16. 7:14

    Állapot
    Jelentés elküldve

    Leírás
    A hibát okozó alkalmazás elérési útja: C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe

    Probléma-aláírás
    Problémaesemény neve: BEX
    Alkalmazásnév: hmpalert.exe
    Alkalmazásverzió: 3.7.9.759
    Alkalmazás időbélyegzője: 5b996535
    Hiba – modul neve: hmpalert.exe
    Hiba – modul verziója: 3.7.9.759
    Hiba – modul időbélyegzője: 5b996535
    Kivétel – eltolás: 001e726f
    Kivételkód: c0000409
    Kivételadatok: 00000005
    Operációs rendszer verziója: 10.0.17134.2.0.0.256.48
    Területibeállítás-azonosító: 1038
    További információk 1: 325b
    További információk 2: 325b17914d7c69fcb5ae54b92ef7e694
    További információk 3: 9f2f
    További információk 4: 9f2f0d6ebe382aa18a98c2de19ad454a

    További adatok a problémáról
    Gyűjtőazonosító: 52fb4a4147ee170152e293fbeb4bc643 (1360812747612997187)

    I've put F-Secure Online Scanner.exe in the exploit mitigation exceptions. It is OK.
     

    Attached Files:

    Last edited: Oct 16, 2018
  23. feerf56

    feerf56 Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    324
What is this now? I did not do anything, and now I see ESET Banking & Payment Protection being protected by HitmanPro.Alert. So far I have not seen this. Does HitmanPro.Alert protect ESET's browser right now? HitmanPro.Alert v. 3.7.9 build 759, ESET IS v. 11.2.63.0, Windows 10 64-bit Pro v. 1803 build 17134.345, Firefox 62.0.3 (64-bit).

    2018-10-18_072003.jpg
     
    Last edited: Oct 18, 2018
  24. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
OK, this may sound dumb, but what exactly is "Local Priv Mitigation" in HMPA? I just noticed today that Firefox is not being protected by HMPA when using Sandboxie. I see a number of code and memory mitigations in the Firefox HMPA profile, but I cannot locate the Local Priv mitigation.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
See the orange box. It says something about stopping "local tokens". Not exactly sure what that is.
     